Your message dated Tue, 28 Jun 2005 16:02:51 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#315115: fixed in sudo 1.6.8p9-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 20 Jun 2005 17:04:47 +0000
>From [EMAIL PROTECTED] Mon Jun 20 10:04:47 2005
Return-path: <[EMAIL PROTECTED]>
Received: from mail3b.westend.com (mail3b1.westend.com) [212.117.79.78] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DkPhW-0005Mj-00; Mon, 20 Jun 2005 10:04:46 -0700
Received: from localhost (localhost [127.0.0.1])
        by mail3b1.westend.com (Postfix) with ESMTP id 0D26FC190
        for <[EMAIL PROTECTED]>; Mon, 20 Jun 2005 19:04:45 +0200 (CEST)
Received: from mail3b1.westend.com ([127.0.0.1])
        by localhost (mail3b [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 28557-02 for <[EMAIL PROTECTED]>;
        Mon, 20 Jun 2005 19:04:42 +0200 (CEST)
Received: by mail3b1.westend.com (Postfix, from userid 1000)
        id 8E8DEC18D; Mon, 20 Jun 2005 19:04:42 +0200 (CEST)
Date: Mon, 20 Jun 2005 19:04:42 +0200
From: Christian Hammers <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [bugtraq] Sudo version 1.6.8p9 now available, fixes security issue.
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yrj/dFKFPuw6o+aM"
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-1.6 required=4.0 tests=BZ_TLD,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline

Package: sudo
Severity: critical
Tags: security
Version: 1.6.8p7-1.1

Please see attached announcement.

bye,

-christian-

--yrj/dFKFPuw6o+aM
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
        by mail3b2.westend.com (Postfix) with ESMTP id 95E291212B4
        for <[EMAIL PROTECTED]>; Mon, 20 Jun 2005 18:58:45 +0200 (CEST)
Received: from mail3b2.westend.com ([127.0.0.1])
        by localhost (mail3b [127.0.0.1]) (amavisd-new, port 20024)
        with ESMTP id 24249-05 for <[EMAIL PROTECTED]>;
        Mon, 20 Jun 2005 18:58:37 +0200 (CEST)
Received: from outgoing.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
        by mail3b2.westend.com (Postfix) with ESMTP id 7013412126A
        for <[EMAIL PROTECTED]>; Mon, 20 Jun 2005 18:58:37 +0200 (CEST)
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com
          via smtpd (for mail3b2.westend.com [212.117.79.69]) with ESMTP; Mon, 20 Jun 2005 09:58:37 -0700
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id C28BA152FA3; Mon, 20 Jun 2005 09:10:36 -0600 (MDT)
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <mailto:[EMAIL PROTECTED]>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 10121 invoked from network); 20 Jun 2005 06:47:16 -0000
Message-Id: <[EMAIL PROTECTED]>
To: bugtraq@securityfocus.com
Subject: [bugtraq] Sudo version 1.6.8p9 now available, fixes security issue.
Date: Mon, 20 Jun 2005 08:24:43 -0600
From: "Todd C. Miller" <[EMAIL PROTECTED]>
X-Spam-Status: No, hits=-13.2 tagged_above=-999.0 required=5.0 tests=AWL,
        DNS_FROM_RFC_POST, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,
        SPF_HELO_PASS, SPF_PASS, USER_IN_DEF_WHITELIST
X-Spam-Level: 

Sudo version 1.6.8, patchlevel 9 is now available, which fixes a
race condition in Sudo's pathname validation.  This is a security
issue.

Summary:
    A race condition in Sudo's command pathname handling prior to
    Sudo version 1.6.8p9 that could allow a user with Sudo privileges
    to run arbitrary commands.

Sudo versions affected:
    Sudo versions 1.3.1 up to and including 1.6.8p8.

Details:
    When a user runs a command via Sudo, the inode and device numbers
    of the command are compared to those of commands with the same
    basename found in the sudoers file (see the Background paragraph
    for more information).  When a match is found, the path to the
    matching command listed in the sudoers file is stored in the
    variable safe_cmnd, which is later used to execute the command.
    Because the actual path executed comes from the sudoers file
    and not directly from the user, Sudo should be safe from race
    conditions involving symbolic links.  However, if a sudoers
    entry containing the pseudo-command ALL follows the user's
    sudoers entry the contents of safe_cmnd will be overwritten
    with the path the user specified on the command line, making
    Sudo vulnerable to the aforementioned race condition.

Impact:
    Exploitation of the bug requires that the user be allowed to
    run one or more commands via Sudo and be able to create symbolic
    links in the filesystem.  Furthermore, a sudoers entry giving
    another user access to the ALL pseudo-command must follow the
    user's sudoers entry for the race to exist.

    For example, the following sudoers file is not affected by the
    bug:

        root            server=ALL
        someuser        server=/bin/echo

    Whereas this one would be:

        someuser        server=/bin/echo
        root            server=ALL

Fix:
    The bug is fixed in sudo 1.6.8p9.

Workaround:
    The administrator can order the sudoers file such that all
    entries granting Sudo ALL privileges precede all other entries.

Credit:
    This problem was brought to my attention by Charles Morris.

Background:
    The reason Sudo uses the inode for command matching is to make
    relative paths work and to avoid problems caused by automounters
    where the path to be executed is not the same as the absolute
    path to the command.

    Another possible approach is to use the realpath() function to
    find the true path.  Sudo does not use realpath() because that
    function is not present in all operating systems and is often
    vulnerable to race conditions where it does exist.

The next major Sudo release will be version 1.7.  For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
You can help speed the release of Sudo 1.7 by purchasing a support
contract or making a donation (see below).

Commercial support is available for Sudo.  If your organization
uses Sudo, please consider purchasing a support contract to help
fund future Sudo development at http://www.sudo.ws/support.html
Custom enhancements to Sudo may also be contracted.

You can also help out by making a donation or "purchase" a copy
of Sudo at http://www.sudo.ws/purchase.html

Master Web Site:
    http://www.sudo.ws/sudo/

Web Site Mirrors:
    http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://sudo.tolix.org/ (California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
    http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
    http://www.signal42.com/mirrors/sudo_www/ (USA)
    http://sudo.xmundo.net/ (Argentina)
    http://sudo.planetmirror.com/ (Australia)
    http://mirror.mons-new-media.de/sudo/ (Germany)
    http://sunshine.lv/sudo/ (Latvia)
    http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
    http://sudo.cdu.elektra.ru/ (Russia)
    http://sudo.nctu.edu.tw/ (Taiwan)

FTP Mirrors:
    ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
    ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
    ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
    ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
    ftp://ftp.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
    ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
    ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
    ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
    ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
    ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp://ftp.eunet.cz/pub/security/sudo/ (Czechoslovakia)
    ftp://ftp.ujf-grenoble.fr/sudo/ (France)
    ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
    ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
    ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
    ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
    ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
    ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

HTTP Mirrors:
    http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
    http://sudo.tolix.org/ftp/ (California, USA)
    http://sudo.mirror99.com/ (San Jose, California, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    http://probsd.org/sudoftp/ (East Coast, USA)
    http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
    http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
    http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
    http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
    http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)


--yrj/dFKFPuw6o+aM--
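
A defender's check for the sudoers ordering described in the advisory above, added here as an example and not code from the sudo project or from either poster: it parses the simple "user host=cmnd" form the advisory uses, reports every entry granting a specific command that is followed by any later entry granting the ALL pseudo-command, and runs against the two sudoers files quoted in the Impact section. The minimal parser (no aliases, Defaults or line continuations) is an assumption of this example.

```python
"""Flag sudoers entries exposed to the ordering issue fixed in sudo 1.6.8p9.

Per the advisory, a user's specific-command entry is at risk when an entry
granting the ALL pseudo-command appears *after* it; the documented
workaround is to place all ALL entries first.
"""
import re

# Assumption of this example: plain "user host=cmnd[,cmnd...]" lines only.
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(\S+?)\s*=\s*(.+?)\s*$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias",
                 "Cmnd_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return [(line_no, user, host, [cmnd, ...])] for plain user specs."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = ENTRY_RE.match(line)
        if m:
            cmnds = [c.strip() for c in m.group(3).split(",")]
            entries.append((n, m.group(1), m.group(2), cmnds))
    return entries


def grants_all(cmnds):
    """True if any command spec ends in the bare ALL pseudo-command
    (also covers forms such as "(root) ALL" or "NOPASSWD: ALL")."""
    return any(c.split()[-1] == "ALL" for c in cmnds)


def find_exposed_entries(text):
    """Return [(exposed_line, first_later_all_line)] pairs."""
    entries = parse_sudoers(text)
    all_lines = [n for n, _, _, c in entries if grants_all(c)]
    exposed = []
    for n, _user, _host, cmnds in entries:
        if grants_all(cmnds):
            continue
        later = [a for a in all_lines if a > n]
        if later:
            exposed.append((n, later[0]))
    return exposed


# The two sudoers files quoted in the advisory's Impact section.
SAFE = "root            server=ALL\nsomeuser        server=/bin/echo\n"
VULNERABLE = "someuser        server=/bin/echo\nroot            server=ALL\n"

if __name__ == "__main__":
    for name, text in (("safe", SAFE), ("vulnerable", VULNERABLE)):
        print(name, "->", find_exposed_entries(text) or "ordering OK")
```

Run it against a real /etc/sudoers only after removing the example's simplifying assumptions (aliases, include files, continuation lines), or the report will be incomplete.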


---------------------------------------
Received: (at 315115-close) by bugs.debian.org; 28 Jun 2005 20:09:25 +0000
>From [EMAIL PROTECTED] Tue Jun 28 13:09:25 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DnMOb-00081f-00; Tue, 28 Jun 2005 13:09:25 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DnMIF-0008A8-00; Tue, 28 Jun 2005 16:02:51 -0400
From: Bdale Garbee <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#315115: fixed in sudo 1.6.8p9-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 28 Jun 2005 16:02:51 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: sudo
Source-Version: 1.6.8p9-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo_1.6.8p9-1.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p9-1.diff.gz
sudo_1.6.8p9-1.dsc
  to pool/main/s/sudo/sudo_1.6.8p9-1.dsc
sudo_1.6.8p9-1_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p9-1_i386.deb
sudo_1.6.8p9.orig.tar.gz
  to pool/main/s/sudo/sudo_1.6.8p9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <[EMAIL PROTECTED]> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 28 Jun 2005 15:33:11 -0400
Source: sudo
Binary: sudo
Architecture: source i386
Version: 1.6.8p9-1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <[EMAIL PROTECTED]>
Changed-By: Bdale Garbee <[EMAIL PROTECTED]>
Description: 
 sudo       - Provide limited super user privileges to specific users
Closes: 315115 315718
Changes: 
 sudo (1.6.8p9-1) unstable; urgency=high
 .
   * new upstream version, fixes a race condition in sudo's pathname
     validation, which is a security issue (CAN-2005-1993),
     closes: #315115, #315718
Files: 
 e2e0775f3e6df6ad492c8865324626ba 567 admin optional sudo_1.6.8p9-1.dsc
 6d0346abd16914956bc7ea4f17fc85fb 585509 admin optional sudo_1.6.8p9.orig.tar.gz
 d2465319cef04fcc3dd46ab4fbb83244 20150 admin optional sudo_1.6.8p9-1.diff.gz
 7ad87187742f906dfffde408598cc0a1 159608 admin optional sudo_1.6.8p9-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCwaglZKfAp/LPAagRAv8KAJ4hDeOlBRe4LDe7Tr3PSPnuP8eKLQCfSUMY
ehNiYDJWKirfmDgnx4DltKk=
=EpVl
-----END PGP SIGNATURE-----

